rchandra Stargate Universe fan Premium Member join:2000-11-09 14225-2105 ARRIS ONT1000GJ4 EnGenius EAP1250
1 recommendation |
to leibold
Re: [ipv6] IPV6 advantage
One thing to clarify for our readers though, if I understand this correctly... IPSec is mandatory to implement in IPv6, but not mandatory to utilize. All this means is that to be IPv6 compliant, if a connection comes into me requesting IPSec, I must interchange packets using IPSec. When I initiate connections, it's my option whether to employ IPSec for that connection or not.
It's been my experience that the vast majority of IPv6 traffic does NOT have IPSec applied to it. |
|
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
|
You are absolutely correct and I apologize if my comment misled anybody into thinking otherwise.
Just using IPv6 doesn't mean all traffic is encrypted, however any standard compliant implementation of IPv6 must support and accept encrypted connections. This does make it easier to establish encrypted connections (vendor and platform independent). |
|
cramer Premium Member join:2007-04-10 Raleigh, NC
1 recommendation |
to rchandra
I thought they backed off the IPSec integration to make life easier on embedded platforms. (ipsec is not a tiny bit of code) |
|
rchandra Stargate Universe fan Premium Member join:2000-11-09 14225-2105 ARRIS ONT1000GJ4 EnGenius EAP1250
|
rchandra
Premium Member
2012-Jun-1 3:50 pm
It's problematic anyway. Suppose I generate my own key and run an IKE daemon. How do you know me from the billions of potential other people connected to the Internet? How can you assure yourself that there is no MitM attack going on? It's nigh on impossible.
The FreeSWAN folks attempted to get users to use Opportunistic Encryption as they called it. I think for the MitM/no PKI reasons it was never widely implemented. It was an extremely good (and ambitious) idea but I'm not too sure it had a secure foundation. |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
to cramer
It's not that large.
m0n0wall has IPSec and the released version fits into a 16MB CF easily. The next release beta needs more but still fits easily into 32MB. |
|
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
|
to cramer
I had read earlier discussions (pros and cons) for eliminating the mandatory implementation of IPSEC but my impression was that the status quo (IPSEC is mandatory in IPv6) was maintained.
I see now that RFC 6434 obsoletes an earlier IPv6 RFC about IPv6 Node Requirements (RFC 4294) and replaces the original MUST implement IPSEC with SHOULD implement (a weaker statement that allows omitting it).
Thanks for pointing that out. |
|
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
|
to graysonf
Think "1MB flash" embedded devices. And the RAM required to actually run an IPv6 stack. Add those together and you have a long list of things out there that will absolutely never support IPv6. (and, btw, IPv6 ipsec is a lot more complex than a builtin https server.) |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
Tell me about a few 1MB flash devices out there. m0n0wall with IPSec runs comfortably in 128MB of RAM, and if you had to have a 128MB stick of RAM you'd have to look on the surplus market. |
|
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
1 recommendation |
cramer
Premium Member
2012-Jun-1 9:58 pm
What part of "embedded devices" did you miss? I'm not talking about your laptop or desktop computers. I'm talking about purpose built, fixed configuration devices. There are thousands of linksys, netgear, dlink, etc. devices that have very little flash and ram -- pretty much everyone has at least one of these in their house... a cable modem, or a dsl modem/router. (only recently made one have or (maybe) will have v6 support.) Not to mention the millions of other various IP connected devices... print servers, tv's, alarm/security systems, power monitors/switches, etc., etc. So many things we completely forget about many of them. |
|
rchandra Stargate Universe fan Premium Member join:2000-11-09 14225-2105 ARRIS ONT1000GJ4 EnGenius EAP1250
1 recommendation |
rchandra
Premium Member
2012-Aug-28 4:35 pm
Thing is, when users of those devices realize the marginal utility of continuing to operate them, they will get "kicked to the curb"....much like many of the CRT and NTSC televisions are these days. Hardly a trash pickup day goes by on which I'm driving that I don't see at least one CRT-based TV set out for pickup. It's sad to see that kind of electronics waste, but with the ATSC transition, it was nearly inevitable. |
|